Chat log from the meeting on 2016-03-29

From OpenSimulator


[11:03] Kayaker Magic: So Andrew, what do you think of that Mantis about the potential security issue?
[11:04] Kayaker Magic: It occurred to me that the security issue could have been fixed while still allowing prims to make HTTP requests to each other, and we just haven't heard about that fix yet.
[11:05] Andrew Hellershanks: The thought is that you may have a configuration error. You can filter incoming traffic in the latest code.
[11:05] Andrew Hellershanks: I don't see how prim to prim communication within the same region can be a security issue.
[11:05] Gavin.Hird what is the # for that Mantis?
[11:06] Andrew Hellershanks: I will need to find time to do some tests.
[11:06] Kayaker Magic: My configuration is a copy of the OSGrid default configuration with very few changes, so this may be an issue with many other sites.
[11:06] Andrew Hellershanks: Any indication when that configuration was last updated?
[11:07] Kayaker Magic: I'm told that if a prim can do HTTP requests to other prims, it can also do other http requests to other servers on the lan. That is the security issue.
[11:08] Andrew Hellershanks: That is where the filters come into play. HTTP in is disabled by default in OpenSim. It may be that the OS grid default configuration hasn't been updated to include some of the configuration changes in git master.
[11:09] Gavin.Hird sounds plausible
[11:09] Lecktor Hannibal: I'm not seeing this issue in the mantis? Kayaker do you have an id #?
[11:09] Kayaker Magic: Oh, because it was a security issue, Andrew suggested marking it private
[11:09] Kayaker Magic: Looking it up now...
[11:10] Andrew Hellershanks: Gavin, I'd prefer not to give out the mantis number in the open until this issue can be determined whether it is, or is not, a real security issue or just a configuration issue.
[11:11] Gavin.Hird Access Denied, so security worked there :-))
[11:11] Kayaker Magic: Who can read private mantises?
[11:12] Andrew Hellershanks: I haven't had to deal with a private mantis issue in the past. It should be limited to the person who filed the report and the core developers.
[11:14] Gavin.Hird I found the periodic process I asked about the last time and it was the pruning of old group notices.
[11:15] Kayaker Magic: I don't see any date or version information in the OpenSim.ini I got with the OSGrid distribution.
[11:15] Gavin.Hird I submitted a patch to fix the casting error which was Postgres specific
[11:15] Gavin.Hird and in the process it purged my old group notes so I made a new mantis for making group notes sticky
[11:15] Andrew Hellershanks: Gavin, Purging of old group notices is something left up to the grid owners. A cron job needs to be set up to remove notices past a certain date.
[11:15] Gavin.Hird #7867 - feature request
[11:16] Gavin.Hird no, there is a job in Robust that runs every 24 hours
[11:16] Gavin.Hird it kills all that is over 14 days old
[11:17] Lecktor Hannibal: This is the latest release version I believe Kayaker. osgrid-opensim-03062016.v0.9.0.be43fc2
[11:17] Lecktor Hannibal: At least that is the one that the d/l link is to on the OSgrid site
[11:17] Andrew Hellershanks: Gavin, Removal of old notices must be a feature of core groups. I haven't been using core groups.
[11:18] Gavin.Hird correct Andrew
[11:18] Gavin.Hird It has the same behavior as in SL
[11:18] Simulator Version v0.5 shouts: OpenSim Dev 2cfe848: 2016-03-24 16:43:27 -0400 (Unix/Mono)
[11:19] Lecktor Hannibal: oh that's a dev build
[11:19] Kayaker Magic: Hmm, mine is a little older than that. How often is that replaced?
[11:19] Lecktor Hannibal: There was a twitter post 3/6
[11:20] Lecktor Hannibal: so I assume that is the last release update
[11:20] Lecktor Hannibal: Andrew?
[11:21] Kayaker Magic: I installed from which I thought I just got a few weeks ago....
[11:21] Andrew Hellershanks: I'm not involved with the running of osgrid or its website. I don't know how often they update the code they provide.
[11:21] Gavin.Hird yes, the last release was early March
[11:22] Kayaker Magic: Dang, I'm going to have to repeat some tests with that new one.
[11:22] Lecktor Hannibal: :-)
[11:22] Lecktor Hannibal: Do you have a tester group yet ;-)
[11:22] Andrew Hellershanks: Kayaker, you could be repeating tests a lot if you try to keep up with the changes in the git repository. :)
[11:23] Kayaker Magic: Just the important bugs I found.
[11:26] Andrew Hellershanks: Gavin, Can you say a bit more about the patch you provided against prebuild?
[11:27] Gavin.Hird It was just that when I upgraded mono it started making complaints I had not seen before
[11:27] Gavin.Hird one of them was a non-existent project
[11:27] Gavin.Hird and the other was a missing reference
[11:28] Kayaker Magic: For those who have not heard, I've been testing vehicles crossing SIM borders and it works GREAT!
[11:28] Kayaker Magic: All my vehicles are non-physical, your mileage may vary.
[11:29] Gavin.Hird so I added the reference and removed the project
[11:29] Andrew Hellershanks: Gavin, ok. I thought mono 4.2 was ok to use but I was told that it was also one of the ones that can have issues. I'm using mono 4.3 and did not notice an error about a missing reference. I'll check it again.
[11:30] Kayaker Magic: So Andrew, I am holding my breath waiting to read your list of changes in How is that going?
[11:31] Gavin.Hird I am compiling on without any issues, it runs well too
[11:31] Kayaker Magic face turns blue
[11:31] Andrew Hellershanks: It hasn't been going anywhere this past week. I need to set aside some time to work on it. I should do a little at a time each day. That way it won't seem such a big job.
[11:32] Andrew Hellershanks: The items I've kept so far for a summary is currently about 300 lines long in about a dozen or so categories.
[11:33] Kayaker Magic: I'm hoping there is a note in there about "solving security issue without banning prim-to-prim HTTP requests"
[11:34] Andrew Hellershanks: That would need to be addressed in notes about changes in the ini files.
[11:34] Kayaker Magic: Oh, I had a problem making HTTP requests from an outside server to a prim in-world. From some servers it worked, others not. I found out the problem:
[11:34] Kayaker Magic: All the UUIDs for prims in-world have the listener port number as part of the UUID,
[11:35] Kayaker Magic: many services ban making HTTP requests that don't use a limited list of port numbers.
[11:35] Gavin.Hird as they should
[11:37] Kayaker Magic: Hmm, SL will let me make requests to URLs of prims in OpenSim, I wonder if the reverse is true...
[11:37] Andrew Hellershanks: Kayaker, look at the section of OpenSim.ini.example starting at line 499.
[11:38] Andrew Hellershanks: Also in the OpenSimDefaults.ini file starting at line 541.
[11:39] Kayaker Magic: I do not need to make HTTP requests from prim to prim.
[11:40] Kayaker Magic: I only noticed that it was possible when I thought it was supposed to be disabled
[11:40] Kayaker Magic: unless you followed those instructions and allowed it.
[11:40] Andrew Hellershanks: People using networked vendors may need that ability.
[11:40] Kayaker Magic: Since I did not allow it in my configuration, I fear it has been enabled all over OSgrid.
[11:42] Andrew Hellershanks: Kayaker, those sections of the ini files are the ones to look at in your configuration and see if they are set right. If you can set the ini files to stop the communications you think should be disabled and the osgrid ini files aren't stopping them I can pass the information along to the people running osgrid and have them update the ini files they list on their website.
[11:44] Andrew Hellershanks: I have some scripts for networked vendors but I tried using them in a while since the communications between prims was limited to prims in the same region. I haven't tried them recently in 0.9 after all the avination code was dropped in.
[11:46] Billy.Bradshaw just some libopenmetaverse info... The Open Metaverse Foundation web site is now on A few weeks ago MelanieT committed changes for SSA-capable Baker for libopenmetaverse. As part of the commit the web address was reversed to which unfortunately is no longer valid.
[11:46] Billy.Bradshaw During Latif's illness the renewal elapsed and someone jumped in
[11:47] Billy.Bradshaw So anyone chat with Melanie please inform
[11:48] Andrew Hellershanks: Gavin, I'll have a word with the other core developers about getting your Postgres changes applied. They will have to be taken on faith that they work as none of the core devs use Postgres AFAIK.
[11:48] Andrew Hellershanks: Is that .co or .com, Billy?
[11:48] Billy.Bradshaw yes co
[11:48] Gavin.Hird very good
[11:48] Billy.Bradshaw It was the best that could be acquired
[11:48] Gavin.Hird actually for someone to set up a Postgres database is as easy as running an installer
[11:49] Gavin.Hird the configuration of opensim is identical with mysql
[11:49] Andrew Hellershanks: Billy, ok. I'll pass that along. That's one of the bad things about some domain providers. Some companies will grab up anything they can the moment it expires.
[11:49] Billy.Bradshaw Dahlia is still assisting with libopenmetaverse libraries, good to see her
[11:49] Billy.Bradshaw But I think that is an MT issue
[11:51] Billy.Bradshaw I intend testing Postgres at some point Gavin
[11:51] Gavin.Hird please do as it works pretty good
[11:52] Gavin.Hird been running it for 1 1/2 years now and never had one corrupt record
[11:52] Andrew Hellershanks: Gavin, I'm not saying it is harder to set up a postgres based system vs. one using MySQL. Just that not as many people are using it with OpenSim
[11:52] Gavin.Hird True Andrew, but it is one of two databases supported in core :-)
[11:53] Andrew Hellershanks: Gavin, One of three if you include SQLite.
[11:53] Gavin.Hird so every release should be tested against it
[11:53] Gavin.Hird Yes, but I meant for running grid mode
[11:53] Andrew Hellershanks nods
[11:54] Andrew Hellershanks: No sane person should use SQLite for grid mode.
[11:55] Billy.Bradshaw I am currently distributing Opensim sims via Docker containers, and we use sqlite there, we have done several changes which we will submit once all the testing is complete
[11:55] Andrew Hellershanks: wow. This hour has flown by. Just five minutes left in the hour. Any other issues to be talked about today before we wrap things up for another week?
[11:55] Andrew Hellershanks: Billy, sounds good.
[11:56] Kayaker Magic: The Saturday meetings are helpful.
[11:56] Kayaker Magic: Like having two open house meetings a week.
[11:57] Gavin.Hird yes, it is good
[11:57] Andrew Hellershanks: Kayaker: Can you say something about those meetings for those who haven't attended the Saturday ones?
[11:57] Andrew Hellershanks: The time and location for those meetings would also be good to mention for those that might like to attend.
[11:58] Lecktor Hannibal: Is there a significant advantage for a user running an OSgrid connected region(s), to build and run dev or sticking to release a better idea?
[11:58] Kayaker Magic: They are at 11:00 like this meeting every Saturday.
[11:58] Kayaker Magic: Last Saturday there was a tutorial after the meeting
[11:59] Lecktor Hannibal: Yes there will be seven more of increasing complexity on configuring and running opensim
[11:59] Kayaker Magic: Eventually the tutorials will be about setting up OpenSim, this time it was a basic intro to the internet and terminology
[12:00] Andrew Hellershanks: Kayaker, are those meetings also held here in Wright Plaza?
[12:00] Kayaker Magic: Right in this room
[12:00] Gavin.Hird Lecktor, for OSG I'd say probably stick to the dev releases with some days delay, but be prepared for possible data corruption
[12:01] Gavin.Hird for the rest, stick to release versions for anything that looks like production
[12:01] Lecktor Hannibal: Okay thank you for the reply.
[12:03] Andrew Hellershanks: Lecktor, The release versions are more likely to be considered stable than the code right out of the git master branch. If you want to minimize risk of running into bugs, stick with the release versions. If you are more interested in helping test the latest code, you can use code from the git repository.
[12:03] Lecktor Hannibal: Thanks, sounds good to me. Would love to help find bugs.
[12:04] Andrew Hellershanks: Kayaker, are the tutorials being written down somewhere so they could be posted online?
[12:04] Billy.Bradshaw I see the Tuesday as leaning towards hackers and testers.
[12:05] Kayaker Magic: There were visual aids, I think he said they would be available somewhere. And there was a web page with notes. I didn't write it down.
[12:05] Lecktor Hannibal:
[12:06] Kayaker Magic: Ah! That is good!
[12:06] Andrew Hellershanks: Kayaker, ok. OpenSim isn't the easiest system to setup and there are a number of ways to tweak the performance of it. Some of the information isn't written down or always kept up to date.
[12:07] Kayaker Magic: Yeah, I'm only learning how to set it up so I can test on early versions before places like Kitely upgrade to them.
[12:07] Andrew Hellershanks: ty, Lecktor.
[12:07] Lecktor Hannibal: Sure thing.
[12:08] Andrew Hellershanks: Any last minute topics before we call this meeting closed?
[12:09] Billy.Bradshaw Thanks for sharing
[12:10] Andrew Hellershanks: Kayaker, ok. Don't want to keep you from your lunch. Check those config settings regarding prim to prim comms. I'll have a look at the configuration file on the osgrid website.
[12:11] Andrew Hellershanks: I think that will do it for another week. Thank you all for coming.
